Professor Eugene Spafford at Purdue University, the father of the field of Internet security, has some takes on this year's RSA conference:
I have now attended 13 of the last 18 RSA Conferences (see some of my comments for 2016, 2015, and 2014). Before there were RSA conferences, there were the Joint National Computer Security Conferences, and I went to those, too. I’ve been going to these conferences for about 30 years now.
[...] I am giving serious thought to this being my last RSA Conference — the expense is getting to be too great for value received. The years have accumulated and I find myself increasingly out of step here. I want to do what is right — safe, secure, ensuring privacy — but so much of this industry is built around the idea that “right” means creating a startup and retiring rich in 5 years after an M&A event. I don’t believe that having piles of money is how to measure what is right. I will never retire rich; actually, because I will never be rich, I probably can’t afford to retire! I am also saddened by the lack of even basic awareness of what so many people worked so hard to accomplish as foundations for others to build on. We have a rich history as a field, and a great deal of knowledge. It is sad to see that so much of it is forgotten and ignored.
(Score: 1, Insightful) by Anonymous Coward on Sunday March 10 2019, @11:51PM
"I saw a few vendors who effectively claimed they supported customers keeping longer audit logs that could be examined to find evidence once a breach was discovered. Think about that — the assumption is that assembled products can’t protect an enterprise well enough, or respond quickly, so that a months-long record is needed to find out when and why the failure occurred. Furthermore, that idea is normalized enough that there are companies that can sell products & services around it. Crazy."
I was starting to hear "Assume breach" as a maxim a decade ago at least.
(Score: 2) by krishnoid on Monday March 11 2019, @12:11AM
Security is one of the areas where the state of the art is always in flux, and the only one where you're actively defending against (no offensive ventures allowed, remember?) a continuously adapting enemy. Assembled, protect, enterprise, 'well enough', failure -- when you're a big target and are fighting off attackers, the definition of these terms and how well your assailants hide evidence is continuously changing to avoid your detection efforts.
If he had the money to retire and spent his time lobbying the government to require that companies carry cybersecurity breach insurance to do business with the government, we'd start seeing actuarial tables, insurance products, and this whole landscape change in a year.
(Score: 2) by MostCynical on Monday March 11 2019, @02:38AM
Companies already manage risk: if "cost of dealing with potential threat is greater than $0, or will delay launch/VC meeting by more than 1 hour, do it "later" (and don't add it to any documentation)"
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex